nvSwitch Claims

Both the local and the remote nvSwitch verifiers create the following claims:

Version 3.0

Applicability: Attestation SDK C++ and Attestation SDK Python

Overall Claims

| ID | Claim | Conditions for the Claim to be Valid | Values |
| --- | --- | --- | --- |
| 1 | x-nvidia-ver | Claims version | String |
| 2 | iss | Claims issuer | String |
| 3 | x-nvidia-overall-att-result | This claim indicates whether the overall attestation result is successful or failed. | true / false |
| 4 | sub | Subject of the claims | String |
| 5 | eat_nonce | Nonce used for the attestation process | String |
| 6 | submods | Contains the digest of a detached Claims-Set | Object |

Detached Claims

| ID | Claim | Conditions for the Claim to be Valid | Values |
| --- | --- | --- | --- |
| 1 | x-nvidia-switch-arch-check | The switch architecture in the attestation report, e.g. LS10 | String |
| 2 | measres | The runtime measurements from the Reference Integrity Measurements (RIM) match the runtime measurements in the attestation report. | success / fail |
| 3 | x-nvidia-switch-bios-version | A string representing the switch BIOS version, e.g. 96.00.9F.00.01 | String |
| 4 | x-nvidia-switch-attestation-report-cert-chain { "x-nvidia-cert-expiration-date": "DateinISO", "x-nvidia-cert-status": "CertStatus", "x-nvidia-cert-ocsp-status": "OCSPStatus", "x-nvidia-cert-revocation-reason": "RevocationReason" } | This claim indicates the following: (1) Expiration date: the certificate's expiration date in ISO 8601 format. (2) Attestation report certificate status: a. valid - the certificate is valid and not expired or revoked; b. expired - the certificate has expired; c. invalid - the certificate is not valid or unknown; d. revoked - the certificate has been revoked. (3) Attestation report cert OCSP status: good, revoked, unknown. (4) Revocation reason: if the attestation report certificate is revoked, this field contains the revocation reason. | Nested String Claims |
| 5 | x-nvidia-switch-attestation-report-cert-chain-fwid-match | This claim indicates whether the FWID of the certificate matches the attestation report. | true / false |
| 6 | x-nvidia-switch-bios-rim-cert-chain { "x-nvidia-cert-expiration-date": "DateinISO", "x-nvidia-cert-status": "CertStatus", "x-nvidia-cert-ocsp-status": "OCSPStatus", "x-nvidia-cert-revocation-reason": "RevocationReason" } | This claim indicates the following: (1) Expiration date: the certificate's expiration date in ISO 8601 format. (2) VBIOS RIM certificate status: a. valid - the certificate is valid and not expired or revoked; b. expired - the certificate has expired; c. invalid - the certificate is not valid or unknown; d. revoked - the certificate has been revoked. (3) VBIOS RIM cert OCSP status: good, revoked, unknown. (4) Revocation reason: if the VBIOS RIM certificate is revoked, this field contains the revocation reason. | Nested String Claims |
| 7 | x-nvidia-switch-bios-rim-version-match | This field indicates whether the VBIOS RIM file version matches the version fetched from the switch information. | true / false |
| 8 | x-nvidia-switch-attestation-report-parsed | This claim indicates whether the attestation report has been successfully parsed. | true / false |
| 9 | x-nvidia-switch-attestation-report-nonce-match | The nonce in the attestation report matches the initial input given to the switch when generating the report. | true / false |
| 10 | x-nvidia-switch-attestation-report-signature-verified | The signature on the attestation report is verified. | true / false |
| 11 | x-nvidia-switch-bios-rim-fetched | This field indicates whether the verifier can fetch the BIOS RIM from the RIM service. | true / false |
| 12 | x-nvidia-switch-bios-rim-schema-validated | The BIOS RIM has been confirmed to be in accordance with the SWID schema. | true / false |
| 13 | x-nvidia-switch-bios-rim-signature-verified | This claim indicates whether the VBIOS RIM signature is verified. | true / false |
| 14 | x-nvidia-switch-bios-rim-measurements-available | The BIOS Reference Integrity Measurement (RIM) and the measurements within it were successfully interpreted and understood. | true / false |
| 15 | eat_nonce | Nonce used for the attestation process | String |
| 16 | hwmodel | Switch hardware model | String |
| 17 | ueid | Universal Entity ID | String |
| 18 | oemid | Firmware Manufacturer ID | String |
| 19 | iss | EAT token issuer | String |

Version 2.0

Applicability: Attestation SDK Python only

Overall Claims

| ID | Claim | Conditions for the Claim to be Valid | Values |
| --- | --- | --- | --- |
| 1 | x-nvidia-ver | Claims version | String |
| 2 | iss | Claims issuer | String |
| 3 | x-nvidia-overall-att-result | This claim indicates whether the overall attestation result is successful or failed. | true / false |
| 4 | sub | Subject of the claims | String |
| 5 | eat_nonce | Nonce used for the attestation process | String |
| 6 | submods | Contains the digest of a detached Claims-Set | Object |

Detached Claims

| ID | Claim | Conditions for the Claim to be Valid | Values |
| --- | --- | --- | --- |
| 1 | x-nvidia-switch-arch-check | The switch architecture in the attestation report, e.g. LS10 | String |
| 2 | measres | The runtime measurements from the Reference Integrity Measurements (RIM) match the runtime measurements in the attestation report. | success / fail |
| 3 | x-nvidia-switch-bios-version | A string representing the switch BIOS version, e.g. 96.00.9F.00.01 | String |
| 4 | x-nvidia-switch-attestation-report-cert-chain-validated | This claim indicates whether the following checks completed successfully for the attestation report certificate chain: (1) the certificate chain is valid; (2) the certificate chain belongs to the NVIDIA PKI; (3) the certificate is not expired; (4) the certificate is not revoked; (5) the FWID of the certificate matches the attestation report. | true / false |
| 5 | x-nvidia-switch-attestation-report-parsed | This claim indicates whether the attestation report has been successfully parsed. | true / false |
| 6 | x-nvidia-switch-attestation-report-nonce-match | The nonce in the attestation report matches the initial input given to the switch when generating the report. | true / false |
| 7 | x-nvidia-switch-attestation-report-signature-verified | The signature on the attestation report is verified. | true / false |
| 8 | x-nvidia-switch-bios-rim-fetched | This field indicates whether the verifier can fetch the BIOS RIM from the RIM service. | true / false |
| 9 | x-nvidia-switch-bios-rim-schema-validated | The BIOS RIM has been confirmed to be in accordance with the SWID schema. | true / false |
| 10 | x-nvidia-switch-bios-rim-cert-validated | This claim indicates whether the following checks completed successfully for the BIOS RIM: (1) the certificate chain is valid; (2) the certificate chain belongs to the NVIDIA PKI; (3) the certificate is not expired; (4) the certificate is not revoked. | true / false |
| 11 | x-nvidia-switch-bios-rim-signature-verified | For the claim to be valid, the following conditions must be met: (1) the BIOS RIM schema must be as expected; (2) the BIOS RIM certificate chain must be verified; (3) OCSP validation must pass for each certificate in the RIM certificate chain; (4) the BIOS RIM signature must be verified, and the BIOS version must match the version fetched from the switch information. | true / false |
| 12 | x-nvidia-switch-bios-rim-measurements-available | The BIOS Reference Integrity Measurement (RIM) and the measurements within it were successfully interpreted and understood. | true / false |
| 13 | eat_nonce | Nonce used for the attestation process | String |
| 14 | hwmodel | Switch hardware model | String |
| 15 | ueid | Universal Entity ID | String |
| 16 | oemid | Firmware Manufacturer ID | String |
| 17 | iss | EAT token issuer | String |
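
How a relying party might gate on the detached claims listed above, as an added example (not NVIDIA SDK code): it fails closed on missing or non-boolean claims and handles the difference between the 2.0 boolean cert-chain claims and the 3.0 nested cert-chain objects. It assumes the token signature has already been verified and the claims decoded into a dict, that true / false arrive as JSON booleans, and that the caller passes the x-nvidia-ver value as "2.0" or "3.0"; the function names and sample values are constructed.

```python
# Added example, not SDK code. Claim names are from the tables above; the
# function names, the "2.0"/"3.0" version strings and all sample values are
# assumptions constructed for illustration.
P = "x-nvidia-switch-"
COMMON = [P + s for s in (
    "attestation-report-parsed", "attestation-report-nonce-match",
    "attestation-report-signature-verified", "bios-rim-fetched",
    "bios-rim-schema-validated", "bios-rim-signature-verified",
    "bios-rim-measurements-available")]
V2_ONLY = [P + "attestation-report-cert-chain-validated",
           P + "bios-rim-cert-validated"]
V3_ONLY = [P + "attestation-report-cert-chain-fwid-match",
           P + "bios-rim-version-match"]
V3_CHAINS = [P + "attestation-report-cert-chain", P + "bios-rim-cert-chain"]
EXPECTED_CHAIN = {"x-nvidia-cert-status": "valid",
                  "x-nvidia-cert-ocsp-status": "good"}


def evaluate_switch_claims(claims, version, expected_nonce):
    """Return failure reasons for one detached claims set; [] means pass."""
    if version not in ("2.0", "3.0"):
        return ["unsupported claims version %r" % (version,)]
    failures = []
    for name in COMMON + (V3_ONLY if version == "3.0" else V2_ONLY):
        # Fail closed: a missing claim or the string "true" is rejected.
        if claims.get(name) is not True:
            failures.append("%s is %r, expected true" % (name, claims.get(name)))
    if claims.get("measres") != "success":
        failures.append("measres is %r" % (claims.get("measres"),))
    if claims.get("eat_nonce") != expected_nonce:
        failures.append("eat_nonce differs from the nonce we issued")
    for name in (V3_CHAINS if version == "3.0" else []):
        chain = claims.get(name)
        if not isinstance(chain, dict):
            failures.append("%s is missing or not an object" % name)
            continue
        for field, want in EXPECTED_CHAIN.items():
            if chain.get(field) != want:
                failures.append("%s.%s is %r" % (name, field, chain.get(field)))
    return failures


def sample_v3_claims(nonce):
    """Constructed v3.0 detached claims in which every check passed."""
    claims = {name: True for name in COMMON + V3_ONLY}
    claims.update({name: dict(EXPECTED_CHAIN) for name in V3_CHAINS})
    claims.update({"measres": "success", "eat_nonce": nonce})
    return claims
```
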

Reporting an issue to NVIDIA

If the remediations above do not help users fix the problems, they can report their issues at NVIDIA/nvtrust#issues.